Power Sandbox: App Power Awareness Made Simple and Secure The quest for po

1. Power Sandbox: App Power Awareness Made Simple and Secure
2.  
3. The quest for power-awareness has lasted for more than a decade: software
4. wants know of their power consumption during execution, for identifying
5. power hotspots in the code, fairly sharing the energy resource, or
6. dynamically adapting software behaviors for better efficiency.
7.  
8. App power awareness is achieved by a combo of i) system-wide power
9. metering and ii) per-app accounting, both done at runtime. For metering,
10. most recent work uses power modeling: the OS collects software events that
11. may reflect hardware activities (e.g. CPU performance counters, syscall
12. trace, kernel activities, etc.) and infer the system-level power
13. consumption using power models (often linear models, trained offline or
14. online); for accounting, the inferred system-level power consumption is
15. divided among software identities following certain policies chosen by the
16. OS.
17.  
18. Although seemingly convenient to users, the above popular approaches
19. suffer from multiple inadequacies. Metering the system power through
20. modeling often requires non-trivial training effort per platform, which is
21. worsen by today's diverse hardware platforms populated with novel
22. accelerators, ranging from GPU to FPGA; furthermore, the inferred power
23. may depart from exact values depending on varying runtime conditions, such
24. as chip process variation (cite XXX) or ambient temperature (XXX), to a
25. non-trivial extent.
26.  
27. For power accounting, regardless of the chosen policy, power shares
28. attributed to individual apps are inevitably coupled due to aggressive
29. sharing of the hardware. The coupling has two implications: i)
30. interpretation difficulty: an app developer not only has to understand the
31. OS accounting policy (which is often implicit), but must also take into
32. account other apps' activities that she can hardly foresee beforehand; the
33. attributed power is unlikely reproducible across different runs because it
34. depends on the concurrently executed apps. ii) security threat: app, based
35. on the power share it receives, is able to learn other app's power
36. activities; the resulted power side channels (cite XXX) may severely
37. compromise the isolation among apps, as identified in prior work and
38. further confirmed us (Section XXX). The threat is amplified as the power
39. metering resolution goes up.
40.  
41. Seeing these inadequacies, we set to make power awareness a first-class OS
42. service that provides well-defined semantics (easy to interpret),
43. isolation (for security), and a cost accounting model (for fairness).
44.  
45. To meter the system power, we advocate obtaining the ground truth through
46. direct measurement, an approach often dismissed as inaccurate (due to low
47. sampling rate) or prohibitively expensive. Opposite to conventional
48. wisdom, we show that emerging hardware platforms are already equipped with
49. inexpensive power sensing circuits for their major power domains, as well
50. as inexpensive (¡$1), low-power microcontrollers that pre-process the
51. power samples efficiently. the software stack is able to meter the major
52. hardware components (e.g. CPU, GPU, or NIC) at fine temporal granularity
53. at 10 us and does so at low processing overhead.
54.  
55. Towards power accounting, our key insight is that the current difficulties
56. root in OS's unconstrained resource sharing: commodity OSes aggressively
57. multiplexes apps on hardware, being concurrent use (spatial multiplexing)
58. and time-slicing (temporal multiplexing). At the lowest level, this makes
59. the entailed power consumption indivisible among apps.
60.  
61. To this end, we present a new OS abstraction called power sandbox.
62. Encompassing one or a group of user processes, a power sandbox allows
63. these process(es) to meter their entailed power as if they are the only
64. processes executed on the metered hardware. The abstraction works in two
65. ways: i) a power sandbox learns its directly measured, reproducible power
66. consumption that is independent of other apps; ii) the power activities of
67. the remaining system is hidden from the power sandbox, which prevents the
68. power side channels.
69.  
70. figure: show power domains on juno
71.  
72. We realize power sandboxing as an overlay on the existing OS resource
73. scheduling and accounting. First, the OS principally constrains sharing so
74. that concurrent use of hardware respects the power sandbox boundary.
75. Second, the OS virtualizes hardware power state for each power sandboxes.
76. Third, the OS charges the lost opportunities in hardware sharing to
77. individual power sandboxes. Beyond this overlay, the OS still enjoys full
78. freedom in scheduling: it is at liberty to decide when to schedule
79. processes on hardware, and freely multiplex non-sandboxed processes
80. without constraints.
81.  
82. We have made the following contributions:
83. * We demonstrate that on emerging hardware platforms fine-grained power
84. metering through direct measurement is both practical and desirable.
85. * We present power sandbox, a novel OS abstraction, that enables simple
86. and secure power awareness at the process level. By cleanly isolating
87. the power activities for individual power sandboxes, power sandbox
88. provides easy-to-interpret, reproducible power metering to apps, and
89. eliminates the security risks poses by power side channel.
90. * We experimentally demonstrate that by leveraging the existing hardware
91. knowledge that an OS possesses, power sandbox can be added as a thin
92. layer. In our Linux-based prototype, we implemented power sandbox for
93. major power consuming hardware including CPU, GPU, DSP, flash storage,
94. and wireless network interface. We are able to realize power
95. sandboxing at low runtime overhead (XX % slow down) and slight
96. modification to a commodity OS kernel (XX sloc).